=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 18-10-2022 18:00 − Mittwoch 19-10-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Adobe patcht Illustrator außer der Reihe ∗∗∗
---------------------------------------------
Nach dem großen Patchday letzte Woche legt Adobe nun zwei Updates gegen kritische Lücken im Illustrator nach.
---------------------------------------------
https://heise.de/-7314003
∗∗∗ AMD, Google, Microsoft, Nvidia: Offengelegter Sicherheitsprozessor Caliptra ∗∗∗
---------------------------------------------
Branchenschwergewichte setzen auf RISC-V-Technik für offengelegte Hardware-Security. Sie könnte Black-Box-Umsetzungen wie Microsofts Pluton ersetzen.
---------------------------------------------
https://heise.de/-7313272
∗∗∗ Achtung Betrug: Bewerben Sie sich nicht als „Process Tester“ bei page-rangers.de ∗∗∗
---------------------------------------------
page-rangers.de bietet einen gut bezahlten Minijob als „App-Tester“. Die Arbeit wird von zu Hause aus erledigt und benötigt keine speziellen Anforderungen. Sie erhalten täglich kleine Aufträge, z. B. die Benutzerfreundlichkeit bei der Eröffnung eines Bankkontos zu testen. Doch Vorsicht: Mit diesem Job stehlen Kriminelle Ihre Identität. Mit dem erstellten Bankkonto wird in Ihrem Namen Geld gewaschen!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-betrug-bewerben-sie-sich-nic…
∗∗∗ Defenders beware: A case for post-ransomware investigations ∗∗∗
---------------------------------------------
The Microsoft Detection and Response Team (DART) details a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/10/18/defenders-beware-a-case-…
∗∗∗ Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk ∗∗∗
---------------------------------------------
Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web [...]
---------------------------------------------
https://msrc-blog.microsoft.com/2022/10/19/awareness-and-guidance-related-t…
∗∗∗ Are Internet Scanning Services Good or Bad for You?, (Wed, Oct 19th) ∗∗∗
---------------------------------------------
I'm in Luxembourg to attend the first edition of the CTI Summit[1]. There was an interesting keynote performed by Patrice Auffret[2], the founder of Onyphe, about "Ethical Internet Scanning in 2022". They are plenty of online scanners that work 24x7 to build a map of the Internet. They scan the entire IP addresses space and look for interesting devices, vulnerabilities, etc. Big players are Shodan, Onyphe, Censys, ZoomEye, etc.
---------------------------------------------
https://isc.sans.edu/diary/rss/29164
∗∗∗ Fully undetectable Windows backdoor gets detected ∗∗∗
---------------------------------------------
SafeBreach Labs says it has detected a novel fully undetectable (FUD) PowerShell backdoor, which calls into question the accuracy of threat naming.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/10/18/fully_undete…
∗∗∗ A New Attack Surface on MS Exchange Part 4 - ProxyRelay! ∗∗∗
---------------------------------------------
Hi, this is a long-time-pending article. We could have published this article earlier (the original bug was reported to MSRC in June 2021 with a 90-days Public Disclosure Policy). However, during communications with MSRC, they explained that since this is an architectural design issue, lots of code changes and testings are expected and required, so they hope to resolve this problem with a one-time CU (Cumulative Update) instead of the regular Patch Tuesday.
---------------------------------------------
https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4…
∗∗∗ Warning: "FaceStealer" iOS and Android apps steal your Facebook login ∗∗∗
---------------------------------------------
FaceStealer is back. As a seasoned threat to legitimate app stores, expect it to be gone and then back again.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2022/10/warning-facestealer-ios-and-…
∗∗∗ TeamTNT Returns – or Does It? ∗∗∗
---------------------------------------------
Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and its routines are reminiscent of the routines employed by cybercriminal group TeamTNT, which was said to have quit in November 2021. Our investigation shows that another threat actor group, WatchDog, might be mimicking TeamTNT’s arsenal.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.h…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bcel, kernel, node-xmldom, and squid), Mageia (chromium-browser-stable, dhcp, dokuwiki, firefox, golang, python-joblib, sos, and unzip), Oracle (nodejs and nodejs:16), Red Hat (firefox, kernel, kernel-rt, nodejs, nodejs:14, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (git and mozilla), SUSE (amazon-ssm-agent, caasp-release, cri-o, patchinfo, release-notes-caasp, skuba, enlightenment, libreoffice, netty, nodejs12, nodejs14, [...]
---------------------------------------------
https://lwn.net/Articles/911723/
∗∗∗ Oracle Releases 370 New Security Patches With October 2022 CPU ∗∗∗
---------------------------------------------
Oracle on Tuesday announced the release of 370 patches as part of its quarterly set of security updates. The October 2022 Critical Patch Update (CPU) resolves over 50 critical-severity vulnerabilities. More than 200 of the newly released security patches deal with vulnerabilities that are remotely exploitable without authentication.
---------------------------------------------
https://www.securityweek.com/oracle-releases-370-new-security-patches-octob…
∗∗∗ Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function UPDATE A ∗∗∗
---------------------------------------------
UPDATE A (19.10.2022): Added Control block-Set CPX-CEC-C1 and Control block-SETCPX-CMXX to affected products.
Unauthenticated access to critical webpage functions (e.g. reboot) may cause a denial of service
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-036/
∗∗∗ K30425568: Overview of F5 vulnerabilities (October 2022) ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30425568
∗∗∗ CVE-2021-3772 Linux Kernel Vulnerability in NetApp DSA E2800 series ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-609377-bt.html
∗∗∗ Multiple Cross Site Scripting vulnerabilities in Bosch VIDEOJET multi 4000 ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-454166-bt.html
∗∗∗ Cisco Identity Services Engine Unauthorized File Access Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco TelePresence Collaboration Endpoint and RoomOS Software Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Meraki MX and Z3 Teleworker Gateway VPN Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Identity Services Engine Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Golang Go vulnerabilities (CVE-2022-27664 and CVE-2022-32190) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v…
∗∗∗ Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-qradar-pulse-application-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Spark affecting IBM QRadar User Behavior Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by vulnerability in Dojo [CVE-2021-23450] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage…
∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-…
∗∗∗ Security Bulletin: CMIS is affected since it uses Spring Framework, but not vulnerable to [CVE-2022-22965] and [CVE-2022-22963] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cmis-is-affected-since-it…
∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is vulnerable to information disclosure due to JUnit4 (CVE-2020-15250) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat…
∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2022-23302) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 17-10-2022 18:00 − Dienstag 18-10-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CVE-2022-42889: Keep Calm and Stop Saying "4Shell" ∗∗∗
---------------------------------------------
[...] The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison. The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.
In summary, much like with Spring4Shell, there are significant caveats to practical exploitability for CVE-2022-42889. With that said, we still recommend patching any relevant impacted software according to your normal, hair-not-on-fire patch cycle.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-st…
∗∗∗ Europol: Festgenommene Autodiebe stahlen Fahrzeuge mittels Software ∗∗∗
---------------------------------------------
In Frankreich wurden 31 Mitglieder einer Diebesbande festgenommen, die Autos mit schlüssellosen Zugangssystemen per Software gestohlen haben sollen.
---------------------------------------------
https://www.golem.de/news/europol-festgenommene-autodiebe-stahlen-fahrzeuge…
∗∗∗ Sicherheit: Antivirensoftware blockiert Thunderbird-Updates ∗∗∗
---------------------------------------------
Statt für Sicherheit zu sorgen, blockieren Avast und AVG Thunderbird-Updates. Das soll bereits seit dreieinhalb Monaten der Fall sein.
---------------------------------------------
https://www.golem.de/news/sicherheit-antivirensoftware-blockiert-thunderbir…
∗∗∗ Fake-Shop Alarm: Vorsicht vor betrügerischen Solar- und Photovoltaik-Shops ∗∗∗
---------------------------------------------
Shops wie elektrox-solar.at und horizon-shot.com täuschen mit professionellem Design und gestohlenen Impressumsdaten. Lassen Sie sich von diesen Fake-Shops nicht in die Falle locken! So erkennen Sie Fake-Solar-Shops online.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-vor-betrueg…
∗∗∗ Das Salz in der Suppe: Salts als unverzichtbare Zutat bei der Passwortspeicherung für Applikationen ∗∗∗
---------------------------------------------
Die Verwendung eines Salt bei der Passwortspeicherung verhindert die Vorberechnung des Hash. Als zusätzliches Geheimnis kann ein Pepper verwendet werden.
---------------------------------------------
https://www.syss.de/pentest-blog/das-salz-in-der-suppe-salts-als-unverzicht…
∗∗∗ WordPress 6.0.3 erschienen ∗∗∗
---------------------------------------------
Gerade habe ich die Meldung erhalten, dass ein Wartungsupdate auf WordPress 6.0.3 erschienen ist. Dieses Update schließt einige Sicherheitslücken, die hier beschrieben sind.
---------------------------------------------
https://www.borncity.com/blog/2022/10/18/wordpress-6-0-3-erschienen/
∗∗∗ FLEXlm and Citrix ADM Denial of Service Vulnerability ∗∗∗
---------------------------------------------
On June 27, 2022, Citrix released an advisory for CVE-2022-27511 and CVE-2022-27512, which affect Citrix ADM (Application Delivery Management).
Rapid7 investigated these issues to better understand their impact, and found that the patch is not sufficient to prevent exploitation. We also determined that the worst outcome of this vulnerability is a denial of service - the licensing server can be told to shut down (even with the patch).
---------------------------------------------
https://www.rapid7.com/blog/post/2022/10/18/flexlm-and-citrix-adm-denial-of…
∗∗∗ Python Obfuscation for Dummies, (Tue, Oct 18th) ∗∗∗
---------------------------------------------
Recently, I found several malicious Python scripts that looked the same. They all contained the same strings at the end: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/29160
∗∗∗ I’m in your hypervisor, collecting your evidence ∗∗∗
---------------------------------------------
Data acquisition during incident response engagements is always a big exercise, both for us and our clients. It’s rarely smooth sailing, and we usually encounter a hiccup or two. Fox-IT’s approach to enterprise scale incident response for the past few years has been to collect small forensic artefact packages using our internal data collection utility, “acquire”, usually deployed using the clients’ preferred method of software deployment. While this method works fine in most cases, we often encounter scenarios where deploying our software is tricky or downright impossible.
---------------------------------------------
https://blog.fox-it.com/2022/10/18/im-in-your-hypervisor-collecting-your-ev…
∗∗∗ Zoom for macOS Contains High-Risk Security Flaw ∗∗∗
---------------------------------------------
Video messaging technology powerhouse Zoom has rolled out a high-priority patch for macOS users alongside a warning that hackers could abuse the software flaw to connect to and control Zoom Apps.
---------------------------------------------
https://www.securityweek.com/zoom-macos-contains-high-risk-security-flaw
∗∗∗ Dutch Police obtain 155 decryption keys for Deadbolt ransomware victims ∗∗∗
---------------------------------------------
Police in the Netherlands said they were able to trick the group behind the Deadbolt ransomware to hand over the decryption keys for 155 victims during a police operation announced last week. In a statement, the Dutch National Police said on Friday that they conducted a targeted operation where they effectively paid a ransom in [...]
---------------------------------------------
https://therecord.media/dutch-police-obtain-155-decryption-keys-for-deadbol…
∗∗∗ Alchimist: A new attack framework in Chinese for Mac, Linux and Windows ∗∗∗
---------------------------------------------
Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. The Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines.
---------------------------------------------
http://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html
∗∗∗ Software Patch Management Policy Best Practices ∗∗∗
---------------------------------------------
Explore the top risk-based patch management policy best practices to mitigate the growing threat of vulnerability exploits in your organization.
---------------------------------------------
https://www.trendmicro.com/en_us/ciso/22/j/software-patch-management-policy…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software ∗∗∗
---------------------------------------------
HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems.
---------------------------------------------
https://thehackernews.com/2022/10/critical-rce-vulnerability-discovered.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (glibc and libksba), Fedora (dhcp and kernel), Red Hat (.NET 6.0, .NET Core 3.1, compat-expat1, kpatch-patch, and nodejs:16), Slackware (xorg), SUSE (exiv2, expat, kernel, libreoffice, python, python-numpy, squid, and virtualbox), and Ubuntu (linux-azure and zlib).
---------------------------------------------
https://lwn.net/Articles/911562/
∗∗∗ Advantech R-SeeNet ∗∗∗
---------------------------------------------
Successful exploitation of these vulnerabilities could result in an unauthorized attacker remotely deleting files on the system or allowing remote code execution.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-291-01
∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to SOAPAction spoofing (CVE-2022-38712) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application…
∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to denial of service due to XStream (CVE-2021-43859) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat…
∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Framework (CVE-2021-22060) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat…
∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to remove traversal due to Apache Commons IO (CVE-2021-29425) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat…
∗∗∗ Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-qradar-pulse-application-…
∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy…
∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow – CVE-2022-35279 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable due to Eclipse Jetty ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 14-10-2022 18:00 − Montag 17-10-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Prestige: Microsoft findet neue Ransomware in Polen und Ukraine ∗∗∗
---------------------------------------------
Das Sicherheitsteam von Microsoft hat eine komplett neue Ransomware-Kampagne gegen den Logistik- und Transportsektor in der Ukraine und Polen entdeckt.
---------------------------------------------
https://www.golem.de/news/prestige-microsoft-findet-neue-ransomware-in-pole…
∗∗∗ Office 365: Microsofts E-Mail-Verschlüsselung ist unsicher ∗∗∗
---------------------------------------------
Die E-Mail-Verschlüsselung von Microsoft 365 setzt auf AES in einem unsicheren Modus. Dadurch können Rückschlüsse auf die Inhalte gezogen werden.
---------------------------------------------
https://www.golem.de/news/office-365-microsofts-e-mail-verschluesselung-ist…
∗∗∗ Schwachstelle im Linux-Kernel ermöglicht Codeschmuggel via WLAN ∗∗∗
---------------------------------------------
Ein IT-Sicherheitsforscher hat Schwachstellen im Linux-Kernel gefunden. Angreifer könnten durch manipulierte WLAN-Pakete beliebigen Code einschleusen.
---------------------------------------------
https://heise.de/-7309762
∗∗∗ Support-Ende für VMware ESXi 6.5 und 6.7 - noch viele Alt-Systeme aktiv ∗∗∗
---------------------------------------------
Am 15. Oktober hat VMware den Support für VMware ESXi 6.5 und 6.7 eingestellt. Aktuellen Zahlen zufolge sind noch viele veraltete Systeme im Einsatz.
---------------------------------------------
https://heise.de/-7310412
∗∗∗ Neue Ransomware-Gang „Ransom Cartel“ ∗∗∗
---------------------------------------------
Der IT-Sicherheitsanbieter Palo Alto Networks und dessen Malware-Analyseteam Unit42 haben Erkenntnisse zu „Ransom Cartel“ gewonnen. Es handelt sich um eine Ransomware as a Service (RaaS)-Anbieter, der Mitte Dezember 2021 erstmals aufgetaucht ist.
---------------------------------------------
https://www.zdnet.de/88404159/neue-ransomware-gang-ransom-cartel/
∗∗∗ Microsoft bestätigt: Windows patzt bei der Erkennung gefährlicher Treiber – Blocklisten nicht verteilt ∗∗∗
---------------------------------------------
Eigentlich sollte Windows bekannte, bösartige Treiber beim Laden blockieren, so dass diese keinen Schaden anrichten können. Zumindest hat Microsoft dies seit Jahren behauptet. Nun hat Microsoft unter der Hand zugegeben, dass man dort gepatzt hat.
---------------------------------------------
https://www.borncity.com/blog/2022/10/17/microsoft-besttigt-windows-patzt-b…
∗∗∗ Unseriöse Werbung auf Pinterest ∗∗∗
---------------------------------------------
Wie in jedem Sozialen Netzwerk gibt es auch auf Pinterest Werbung. In letzter Zeit vermehrt von unseriösen Online-Shops für Haar-Styling-Geräte und Shaping-Hosen. Die Produkte von zevoon.de, valurabeauty.de oder lusto.de wirken zwar vielversprechend, erfahrungsgemäß werden Sie aber enttäuscht und erhalten minderwertigen Schrott aus China. Wir zeigen Ihnen, bei welchen Shops Sie lieber nicht bestellen sollten.
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-werbung-auf-pinterest/
∗∗∗ New PHP information-stealing malware targets Facebook accounts ∗∗∗
---------------------------------------------
Threat analysts have spotted a new Ducktail campaign using a new infostealer variant and novel TTPs (tactics, techniques, and procedures), while the Facebook users it targets are no longer limited to holders of business accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-php-information-stealing…
∗∗∗ Black Basta Ransomware Hackers Infiltrates Networks via Qakbot to Deploy Brute Ratel C4 ∗∗∗
---------------------------------------------
The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week.
---------------------------------------------
https://thehackernews.com/2022/10/black-basta-ransomware-hackers.html
∗∗∗ Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis ∗∗∗
---------------------------------------------
On September 2, 2022, Zscaler Threatlabz captured an in-the-wild 0-day exploit in the Windows Common Log File System Driver (CLFS.sys) and reported this discovery to Microsoft. In the September Tuesday patch, Microsoft fixed this vulnerability that was identified as CVE-2022-37969, which is a Windows Common Log File System Driver elevation of privilege vulnerability. An attacker who successfully exploits this vulnerability may gain SYSTEM privileges.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-windows-…
∗∗∗ Free Micropatches For Bypassing "Mark of the Web" on Unzipped Files (0day) ∗∗∗
---------------------------------------------
In May, security researcher Will Dormann found a vulnerability in Windows that allows an attacker to prevent Windows from setting the "Mark of the Web" flag on files extracted from a ZIP archive, even if the ZIP archive came from an untrusted source such as Internet, email, or a USB key. Mark of the Web (MOTW) is an important security mechanism in Windows: Windows will show a security warning before launching an executable file with MOTW;
---------------------------------------------
https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-mark-of.html
∗∗∗ New Black Lotus UEFI Rootkit Provides APT-Level Capabilities to Cybercriminals ∗∗∗
---------------------------------------------
A threat actor is promoting on underground criminal forums a vendor-independent UEFI rootkit that can disable security software and controls, cybersecurity veteran Scott Scheferman warns.
---------------------------------------------
https://www.securityweek.com/new-black-lotus-uefi-rootkit-provides-apt-leve…
∗∗∗ Detecting Emerging Network Threats From Newly Observed Domains ∗∗∗
---------------------------------------------
We discuss how to discover potential threats among newly observed domains at the time they begin to carry attack traffic.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-newly-observed-domains/
∗∗∗ CISA Releases RedEye: Red Team Campaign Visualization and Reporting Tool ∗∗∗
---------------------------------------------
CISA has released RedEye, an interactive open-source analytic tool to visualize and report Red Team command and control activities. RedEye allows an operator to quickly assess complex data, evaluate mitigation strategies, and enable effective decision making.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/10/14/cisa-releases-red…
∗∗∗ Stories from the SOC: Feeling so foolish – SocGholish drive by compromise ∗∗∗
---------------------------------------------
SocGholish, also known as FakeUpdate, is a JavaScript framework leveraged in social engineering drive by compromises that has been a thorn in cybersecurity professionals’ and organizations’ sides for at least 5 years now. Upon visiting a compromised website, users are redirected to a page for a browser update and a zip archive file containing a malicious JavaScript file is downloaded and unfortunately often opened and executed by the fooled end user.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-10-14 ∗∗∗
---------------------------------------------
IBM InfoSphere Information Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct for HP NonStop, IBM Sterling File Gateway
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ MiniDVBLinux 5.4 Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Arbitrary File Read Vulnerability, Remote Root Command Execution Vulnerability, Remote Root Command Injection Vulnerability, Unauthenticated Stream Disclosure Vulnerability, Change Root Password PoC, Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit, Config Download Exploit
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults ∗∗∗
---------------------------------------------
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with [...]
---------------------------------------------
https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (kernel, linux-hardened, linux-lts, and linux-zen), Debian (python-django), Fedora (apptainer, kernel, python3.6, and vim), Gentoo (assimp, deluge, libvirt, libxml2, openssl, rust, tcpreplay, virglrenderer, and wireshark), Slackware (zlib), SUSE (chromium, python3, qemu, roundcubemail, and seamonkey), and Ubuntu (linux-aws-5.4 and linux-ibm).
---------------------------------------------
https://lwn.net/Articles/911461/
∗∗∗ WAGO: Multiple products - Loss of MAC-Address-Filtering after reboot ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-042/
∗∗∗ WAGO: Multiple Vulnerabilities in Controller with WAGO I/O-Pro / CODESYS 2.3 Runtime ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-040/
∗∗∗ TRUMPF TruTops prone to improper access control ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-023/
∗∗∗ Gitea: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1742
∗∗∗ Linux Kernel: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1741
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 13-10-2022 18:00 − Freitag 14-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Infostealer: Was ist das, wie werden sie verbreitet und wie lassen sie sich aufhalten? ∗∗∗
---------------------------------------------
Infostealer sind eine schädliche Software, die darauf ausgelegt ist, Ihre vertraulichen Daten zu stehlen. Hier erfahren Sie, was genau sie sind, wie sie verbreitet werden und wie sie sich aufhalten lassen.
---------------------------------------------
https://blog.emsisoft.com/de/41944/infostealer-was-ist-das-wie-werden-sie-v…
∗∗∗ Magniber ransomware now infects Windows users via JavaScript files ∗∗∗
---------------------------------------------
A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/magniber-ransomware-now-infe…
∗∗∗ What the Uber Hack can teach us about navigating IT Security ∗∗∗
---------------------------------------------
The recent Uber cyberattack shows us the myriad tactics employed by threat actors to breach corporate networks. Learn more about these tactics used and how to navigate IT Security.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/what-the-uber-hack-can-teach…
∗∗∗ Microsoft 365 Message Encryption Can Leak Sensitive Info ∗∗∗
---------------------------------------------
The default email encryption used in Microsoft Offices cloud version is leaky, which the company acknowledged but said it wouldnt fix.
---------------------------------------------
https://www.darkreading.com/application-security/microsoft-365-message-encr…
∗∗∗ Hunting for Cobalt Strike: Mining and plotting for fun and profit ∗∗∗
---------------------------------------------
Cobalt Strike is a commercial Command and Control framework built by Helpsystems. You can find out more about Cobalt Strike on the MITRE ATT&CK page. But it can also be used by real adversaries. In this post we describe how to use RiskIQ and other Microsoft technologies to see if you have Cobalt Strike [...]
---------------------------------------------
https://msrc-blog.microsoft.com/2022/10/13/hunting-for-cobalt-strike-mining…
∗∗∗ Improvements in Security Update Notifications Delivery - And a New Delivery Method ∗∗∗
---------------------------------------------
At MSRC, we are passionate about ensuring our customers have a positive experience when they use the Microsoft Security Update Guide (SUG). A big part of improving that experience is ensuring that customers have timely and easily accessible notifications. As such we have two important announcements to share about changes to the way we provide notifications.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/10/12/14921/
∗∗∗ Analysis of a Malicious HTML File (QBot), (Thu, Oct 13th) ∗∗∗
---------------------------------------------
Reader Eric submitted a malicious HTML page that contains BASE64 images with malware.
---------------------------------------------
https://isc.sans.edu/diary/rss/29146
∗∗∗ Firefoxs New Service Gives You a Burner Phone Number To Cut Down on Spam ∗∗∗
---------------------------------------------
Firefox Relay, a Mozilla service designed to hide your "real" email address by giving you virtual ones to hand out, is expanding to offer virtual phone numbers. From a report: In a blog post Mozilla product manager Tony Amaral-Cinotto explains that the relay service generates a phone number for you to give out to companies if you suspect they might use it to send you spam messages in the future, or if you think they might share it with others who will.
---------------------------------------------
https://news.slashdot.org/story/22/10/13/1124240/firefoxs-new-service-gives…
∗∗∗ PiRogue Tool Suite Mobile forensic & network analysis on a Raspberry Pie ∗∗∗
---------------------------------------------
PiRogue tool suite (PTS) is an open-source tool suite that provides a comprehensive mobile forensic and network traffic analysis platform targeting mobile devices both Android and iOS, internet of things devices (devices that are connected to the user mobile apps), and in general any device using wi-fi to connect to the Internet.
---------------------------------------------
https://pts-project.org/
∗∗∗ PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin ∗∗∗
---------------------------------------------
Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts.
---------------------------------------------
https://www.securityweek.com/poc-published-fortinet-vulnerability-mass-expl…
∗∗∗ Ransom Cartel Ransomware: A Possible Connection With REvil ∗∗∗
---------------------------------------------
Ransom Cartel is ransomware as a service (RaaS) that exhibits several similarities to and technical overlaps with REvil ransomware. Read our overview.
---------------------------------------------
https://unit42.paloaltonetworks.com/ransom-cartel-ransomware/
∗∗∗ Seven tips to run effective security awareness campaigns ∗∗∗
---------------------------------------------
Planning large-scale security awareness campaigns throws up many questions to grapple with. How can you make sure your campaign reaches the right people? What’s the best way to inspire them to take action? And how do you run a security awareness campaign so realistic it gets banned by the national post office?
---------------------------------------------
https://connect.geant.org/2022/10/14/seven-tips-to-run-effective-security-a…
∗∗∗ Shodan Verified Vulns 2022-10-01 ∗∗∗
---------------------------------------------
Mit Stand 2022-10-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...]
---------------------------------------------
https://cert.at/de/aktuelles/2022/10/shodan-verified-vulns-2022-10-01
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM Performance Management, IBM Watson Discovery for IBM Cloud Pak for Data, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Cloud Pak System
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (dbus, dhcp, expat, kernel, thunderbird, vim, and weechat), Mageia (libofx, lighttpd, mediawiki, and python), Oracle (.NET 6.0 and .NET Core 3.1), Slackware (python3), SUSE (chromium, kernel, libosip2, python-Babel, and python-waitress), and Ubuntu (gThumb, heimdal, linux-aws, linux-gcp-4.15, linux-aws-hwe, linux-gcp, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, postgresql-9.5, and xmlsec1).
---------------------------------------------
https://lwn.net/Articles/911168/
∗∗∗ Hitachi Energy Lumada Asset Performance Management Prognostic Model Executor Service ∗∗∗
---------------------------------------------
This advisory contains mitigations for Allocation of Resources Without Limits or Throttling and Code Injection vulnerabilities in versions of Hitachi Energy Lumada Asset Performance Manager (APM) software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-286-05
∗∗∗ OpenSSL Infinite loop when parsing certificates CVE-2022-0778 ∗∗∗
---------------------------------------------
Version: 1.7, Date: 14-Oct-2022, Description: Fixed product(s) lists are updated: GMS, Analytics, SonicWave, SonicSwitch, Connect Tunnel Client.
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
∗∗∗ Joomla KSAdvertiser 2.5.37 Cross Site Scripting ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022100035
∗∗∗ Android App "IIJ SmartKey" vulnerable to information disclosure ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN74534998/
∗∗∗ Pulse Secure Pulse Connect Secure: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1717
∗∗∗ Red Hat Enterprise Linux (Advanced Cluster Management): Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1715
∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1719
∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1720
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 12-10-2022 18:00 − Donnerstag 13-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New Alchimist attack framework targets Windows, macOS, Linux ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new attack and C2 framework called Alchimist, which appears to be actively used in attacks targeting Windows, Linux, and macOS systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-alchimist-attack-framewo…
∗∗∗ SiteCheck Malware Trends Report – Q3 2022 ∗∗∗
---------------------------------------------
Our free SiteCheck remote website scanner provides immediate insights about malware infections, blocklisting, website anomalies, and errors for millions of webmasters every month. Best of all, conducting a remote website scan is one of the easiest ways to identify security issues.
---------------------------------------------
https://blog.sucuri.net/2022/10/sitecheck-malware-trends-report-2022-q3.html
∗∗∗ Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers ∗∗∗
---------------------------------------------
Core to the attacks has been the use of implants coined CreepyDrive and CreepyBox for their ability to exfiltrate sensitive data to actor-controlled OneDrive and Dropbox accounts. Also deployed is a PowerShell backdoor dubbed CreepySnail.
---------------------------------------------
https://thehackernews.com/2022/10/researchers-uncover-custom-backdoors.html
∗∗∗ VPN-Problem: Apple-Apps leaken Daten unter iOS ∗∗∗
---------------------------------------------
Der iPhone-VPN-Dienst scheint noch immer nicht sauber zu laufen. Ein Sicherheitsforscher warnt vor Leaks insbesondere aus Apple-eigenen Apps.
---------------------------------------------
https://heise.de/-7307198
∗∗∗ Top 5 ransomware detection techniques: Pros and cons of each ∗∗∗
---------------------------------------------
In the fight against ransomware, much of the discussion revolves around prevention and response. Actually detecting the ransomware, however, is just as important to securing your business. To understand why, just consider the following example.
---------------------------------------------
https://www.malwarebytes.com/blog/business/2022/10/top-5-ransomware-detecti…
∗∗∗ MS Enterprise app management service RCE. CVE-2022-35841 ∗∗∗
---------------------------------------------
TL;DR A remote command execution and local privilege escalation vulnerability has been fixed by Microsoft as part of September’s patch Tuesday. The vulnerability, filed under CVE-2022-35841, affects the Enterprise App Management Service which handles the installation of enterprise applications deployed via MDM.
---------------------------------------------
https://www.pentestpartners.com/security-blog/ms-enterprise-app-management-…
∗∗∗ Some Vulnerabilities Don’t Have a Name ∗∗∗
---------------------------------------------
There is a common assumption that all open source vulnerabilities hold a CVE. Still, others believe that the National Vulnerability Database (NVD) has the final word when deciding what is a vulnerability and what is not. However, can a vulnerability exist that isn’t tracked by a CVE, or is not in the NVD?
---------------------------------------------
https://checkmarx.com/blog/some-vulnerabilities-dont-have-a-name/
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitsupdates: Kritische Lücken in WAN-Managementsystem von Aruba ∗∗∗
---------------------------------------------
Zwei kritische Schwachstellen in Aruba EdgeConnect Orchestrator gefährden Netzwerke.
---------------------------------------------
https://heise.de/-7307059
∗∗∗ CVE-2022-0030 PAN-OS: Authentication Bypass in Web Interface ∗∗∗
---------------------------------------------
An authentication bypass vulnerability in the Palo Alto Networks PAN-OS 8.1 web interface allows a network-based attacker with specific knowledge of the target firewall or Panorama appliance to impersonate an existing PAN-OS administrator and perform privileged actions.
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0030
∗∗∗ Juniper Security Bulletins 2022-10-12 ∗∗∗
---------------------------------------------
Juniper has released 37 security advisories.
---------------------------------------------
https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sor…
∗∗∗ Schwachstelle in JavaScript-Sandbox vm2 erlaubt Ausbruch aus der Isolation ∗∗∗
---------------------------------------------
Wer eine Version kleiner 3.9.11 von vm2 verwendet, sollte die Sandbox aktualisieren, da eine Schwachstelle das Ausführen von Remote-Code auf dem Host erlaubt.
---------------------------------------------
https://heise.de/-7306752
∗∗∗ Groupware Zimbra: Updates stopfen mehrere Sicherheitslecks ∗∗∗
---------------------------------------------
In der Groupware Zimbra beheben die Entwickler mehrere sicherheitsrelevante Fehler. Angreifer könnten die Instanz kompromittieren oder ihre Rechte ausweiten.
---------------------------------------------
https://heise.de/-7307521
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libreoffice, rexical, ruby-nokogiri, and squid), Fedora (wavpack), Red Hat (expat), SUSE (gdcm, orthanc, orthanc-gdcm, orthanc-webviewer and rubygem-puma), and Ubuntu (GMP and unzip).
---------------------------------------------
https://lwn.net/Articles/911042/
∗∗∗ Trellix ePolicy Orchestrator: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Trellix ePolicy Orchestrator ausnutzen, um Dateien zu manipulieren oder einen Cross-Site-Scripting-Angriff durchzuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1700
∗∗∗ Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service ∗∗∗
---------------------------------------------
Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.
---------------------------------------------
http://blog.talosintelligence.com/2022/10/vuln-spotlight-robustel-router.ht…
∗∗∗ Sonicwall: GMS File Path Manipulation ∗∗∗
---------------------------------------------
An unauthenticated attacker can gain access to web directory containing applications binaries and configuration files through file path manipulation vulnerability.
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0021
∗∗∗ Drupal: Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-058
∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
∗∗∗ Security Bulletin: Hortonworks DataFlow product has log messages vulnerable to arbitrary code execution, denial of service, and remote code execution due to Apache Log4j vulnerabilities [CVE-2021-44228], [CVE-2021-45105], and [CVE-2021-45046] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-hortonworks-dataflow-prod…
∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
∗∗∗ Security Bulletin: Vulnerabilities in Java affect IBM WIoTP MessageGateway (CVE-2021-213) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a…
∗∗∗ Dell BIOS: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1705
∗∗∗ Grafana: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1702
∗∗∗ Mitel MiVoice Connect: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1706
∗∗∗ Pulse Secure SA45520 - CVEs (CVE-2022-35254,CVE-2022-35258) may lead to DoS attack ∗∗∗
---------------------------------------------
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 11-10-2022 18:00 − Mittwoch 12-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Ein guter Tag für Freund:innen von Adobe Software und gepflegtem Patchen ∗∗∗
---------------------------------------------
Da kann man sich nicht beschweren: nicht nur eine kritische Lücke in Adobe Commerce und Magento Open Source (CVSS 10.0 - Highscore-verdächtig), sondern auch gleich deren mehrere in Adobe ColdFusion (unter Anderem 4x mit CVSS 9.8 und 1x mit 8.1). Nutzer:innen von Adobe Acrobat/Acrobat Reader kommen ebenfalls nicht zu kurz, auch wenn man dort dank Auto-Updates vielleicht nicht selbst so viel Spass mit dem Patchen hat. Und auch wenn ich nicht weiß, was (eine) Adobe Dimension ist: Admins haben dort 4x CVSS 7.8 - Freude.
---------------------------------------------
https://cert.at/de/blog/2022/10/ein-guter-tag-fur-freundinnen-von-adobe-sof…
∗∗∗ New npm timing attack could lead to supply chain attacks ∗∗∗
---------------------------------------------
Security researchers have discovered an npm timing attack that reveals the names of private packages so threat actors can release malicious clones publicly to trick developers into using them instead.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-npm-timing-attack-could-…
∗∗∗ Malicious WhatsApp mod distributed through legitimate apps ∗∗∗
---------------------------------------------
The malicious version of YoWhatsApp messenger, containing Triada trojan, was spreading through ads in the popular Snaptube app and the Vidmate apps internal store.
---------------------------------------------
https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimat…
∗∗∗ Userland Execution of Binaries Directly from Python ∗∗∗
---------------------------------------------
TL;DR: If you are familiar with what a userland binary execution tool does and you just want to see the code and/or test it, skip the rest of this post and go to the project GitHubs page.
---------------------------------------------
https://www.anvilsecure.com/blog/userland-execution-of-binaries-directly-fr…
∗∗∗ A deep dive into CVE-2021–42847 - arbitrary file write and XXE in ManageEngine ADAudit Plus before 7006 ∗∗∗
---------------------------------------------
After coming across a vulnerable instance during a pentest, and discovering that no root cause analysis or PoC has ever been made available for this vulnerability, I decided to have a closer look myself.
---------------------------------------------
https://medium.com/@erik.wynter/pwning-manageengine-from-endpoint-to-exploi…
∗∗∗ Brute-Force-Angriffe: Microsoft rüstet Schutzmechanismus nach ∗∗∗
---------------------------------------------
Die Windows-Updates zum Oktober-Patchday haben auch eine neue Funktion mitgebracht. Sie sperrt lokale Administratorkonten bei fehlerhaften Log-in-Versuchen.
---------------------------------------------
https://heise.de/-7306276
∗∗∗ Abo-Falle bei der Wohnungssuche auf rentola.at ∗∗∗
---------------------------------------------
Sind Sie gerade auf Wohnungssuche? Dann nehmen Sie sich vor einem undurchsichtigen Abo-Vertrag auf rentola.at in Acht. Geworben wird mit unzähligen Wohnungen in ganz Österreich und auf der ganzen Welt. Für eine erste Nachricht an Vermieter:innen müssen Sie jedoch 1 Euro bezahlen. Ein versteckter Kostenhinweis verrät: Hier landen Sie in einem teuren Abonnement!
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-bei-der-wohnungssuche-auf-…
∗∗∗ Qakbot Being Distributed as ISO Files Instead of Excel Macro ∗∗∗
---------------------------------------------
There is a recent increase in the distribution method of malware through ISO files. Among the malware, it has been identified that Qakbot, an online banking malware, has had its distribution method changed from Excel 4.0 Macro to ISO files.
---------------------------------------------
https://asec.ahnlab.com/en/39537/
∗∗∗ VMware vCenter Server bug disclosed last year still not patched ∗∗∗
---------------------------------------------
VMware informed customers today that vCenter Server 8.0 (the latest version) is still waiting for a patch to address a high-severity privilege escalation vulnerability disclosed in November 2021.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-vcenter-server-bug-di…
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Sicherheitslücke in Magento Open Source und Adobe Commerce - Updates verfügbar ∗∗∗
---------------------------------------------
Adobe hat Updates für die E-Commerce Software Suites Magento Open Source und Adobe Commerce herausgegeben. CVE-Nummer(n): CVE-2022-35698 CVSS Base Score: 10.0. Angreifer:innen können beliebigen Code auf betroffenen Systemen ausführen (vermutlich mit den Rechten des Webservers), und haben Zugriff auf alle Daten die im E-Commerce System gespeichert sind.
---------------------------------------------
https://cert.at/de/warnungen/2022/10/kritische-sicherheitslucke-in-magento-…
∗∗∗ Microsoft Security Update Summary (11. Oktober 2022) ∗∗∗
---------------------------------------------
Am 11. Oktober 2022 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office usw. – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 84 Schwachstellen …
---------------------------------------------
https://www.borncity.com/blog/2022/10/11/microsoft-security-update-summary-…
∗∗∗ Exchange Server Sicherheitsupdates (11. Oktober 2022) ∗∗∗
---------------------------------------------
Microsoft hat zum 11. Oktober 2022 Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Updates sollen Schwachstellen, die von externen Sicherheitspartnern gemeldet oder durch Microsoft gefunden wurden, schließen. Die seit Ende September 2022 bekannten 0-day-Schwachstellen (ProxyNotShell) werden aber nicht beseitigt.
---------------------------------------------
https://www.borncity.com/blog/2022/10/12/exchange-server-sicherheitsupdates…
∗∗∗ IBM Security Bulletins 2022-10-11 ∗∗∗
---------------------------------------------
IBM Robotic Process Automation, IBM App Connect Enterprise, IBM Security Identity Management, IBM Security Guardium, IBM Cloud Pak, Rational Change, IBM Navigator Mobile Android, Rational Synergy.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Schneider Elecronic Security Advisories 2022-10-11 ∗∗∗
---------------------------------------------
4 new, 8 updated
---------------------------------------------
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.…
∗∗∗ Webbrowser: Google schließt sechs Sicherheitslücken in Chrome ∗∗∗
---------------------------------------------
Google hat ein Update für den Webbrowser Chrome veröffentlicht. Es schließt insgesamt sechs Sicherheitslücken, von denen ein hohes Risiko ausgeht.
---------------------------------------------
https://heise.de/-7305732
∗∗∗ Fortinet-Patchday: Mehrere kritische Lücken geschlossen ∗∗∗
---------------------------------------------
Nachdem am Wochenende eine kritische Sicherheitslücke in Fortinet-Produkten bekannt wurde, hat das Unternehmen nun weitere Updates bereitgestellt.
---------------------------------------------
https://heise.de/-7306400
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mediawiki and twig), Oracle (expat, gnutls and nettle, and kernel), Red Hat (expat, kernel, and kpatch-patch), and Ubuntu (advancecomp and dotnet6).
---------------------------------------------
https://lwn.net/Articles/910953/
∗∗∗ Zoom Video Communications: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, authentisierter oder lokalerAngreifer kann mehrere Schwachstellen in Zoom Video Communications Zoom Client und Zoom Video Communications On-Premise ausnutzen, um einen Denial of Service Angriff durchzuführen und Sicherheitsmaßnahmen zu umgehen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1677
∗∗∗ LibreOffice: Schwachstelle ermöglicht Codeausführung ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in LibreOffice ausnutzen, um beliebigen Programmcode auszuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1679
∗∗∗ bingo!CMS vulnerable to authentication bypass ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN74592196/
∗∗∗ The installer of Sony Content Transfer may insecurely load Dynamic Link Libraries ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN40620121/
∗∗∗ VMSA-2022-0026 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0026.html
∗∗∗ WAGO: FTP-Server - Denial-of-Service ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-047/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 10-10-2022 18:00 − Dienstag 11-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Your Publicly Accessible Google API Key Could Be Giving Hackers Access to Your Files and Photos! ∗∗∗
---------------------------------------------
We’ve all seen them before, those long, seemingly random strings of characters starting with AIza. Yes, that’s right, the ubiquitous Google API key.
---------------------------------------------
https://spidersilk.com/news/your-publicly-accessible-google-api-key-could-b…
∗∗∗ Fortinet Confirms Zero-Day Vulnerability Exploited in One Attack ∗∗∗
---------------------------------------------
Fortinet has confirmed that the critical vulnerability whose existence came to light last week is a zero-day flaw that has been exploited in at least one attack.
---------------------------------------------
https://www.securityweek.com/fortinet-confirms-zero-day-vulnerability-explo…
∗∗∗ Siemens Not Ruling Out Future Attacks Exploiting Global Private Keys for PLC Hacking ∗∗∗
---------------------------------------------
Researchers have demonstrated that threat actors could obtain global private keys that protect some of Siemens’ industrial devices, and the vendor says it cannot rule out malicious exploitation in the future.
---------------------------------------------
https://www.securityweek.com/siemens-not-ruling-out-future-attacks-exploiti…
∗∗∗ Living off the Cloud. Cloudy with a Chance of Exfiltration ∗∗∗
---------------------------------------------
Unless default settings are changed, typical Office 365 (O365) licences come loaded with various services that are all usable by end users without special permissions. Power Automate can be used maliciously by compromised users or insider threats to systematically capture and exfiltrate data without having to contend with network safeguards.
---------------------------------------------
https://www.pentestpartners.com/security-blog/living-off-the-cloud-cloudy-w…
∗∗∗ Betrügerisches Jobangebot auf santo-vermoegen.com ∗∗∗
---------------------------------------------
Auf „santo-vermoegen.com/infofolder“ sind aktuell freie Stellen als „Back Office Mitarbeiter“ ausgeschrieben. Der Job ist auch auf diversen Jobportalen inseriert. Die Beschreibung der Tätigkeit ist vage. Es geht lediglich hervor, dass Sie auf Ihrem privaten Bankkonto Zahlungen empfangen, protokollieren und weiterleiten. Vorsicht: Dabei handelt es sich um Geldwäsche, Sie machen sich strafbar!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerisches-jobangebot-auf-santo…
∗∗∗ Exchange Server: Neue 0-day (nicht NotProxyShell, CVE-2022-41040, CVE-2022-41082) ∗∗∗
---------------------------------------------
AhnLabs schreibt, dass theoretisch die Möglichkeit besteht, dass die von dem vietnamesischen Sicherheitsunternehmen GTSC am 28. September offengelegten Schwachstellen von Microsoft Exchange Server(CVE-2022-41040, CVE-2022-41082) für die Infektion ausgenutzt wurden. Aber die Angriffsmethode, der generierte WebShell-Dateiname, und nachfolgende Angriffe nach der Installation der WebShell lassen vermuten, dass ein anderer Angreifer eine andere Zero-Day-Schwachstelle ausgenutzt hat.
---------------------------------------------
https://www.borncity.com/blog/2022/10/11/exchange-server-neue-0-day-nicht-n…
∗∗∗ Persistent PHP payloads in PNGs: How to inject PHP code in an image – and keep it there ! ∗∗∗
---------------------------------------------
During the assessment of a PHP application, we recently came across a file upload vulnerability allowing the interpretation of PHP code inserted into valid PNG files. However, the image processing performed by the application forced us to dig deeper into the different techniques available to inject PHP payloads into this particular file format - and to make it persist through image transformations.
---------------------------------------------
https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Siemens Security Advisories ∗∗∗
---------------------------------------------
16 new, 11 updated
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html?d=2022-10#Sec…
∗∗∗ IBM Security Bulletins 2022-10-10 ∗∗∗
---------------------------------------------
IBM Process Mining, z/Transaction Processing Facility, Content Manager OnDemand z/OS, IBM Sterling Connect.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Exchange Zero-Day-Lücke: Nochmals nachgebesserter Workaround ∗∗∗
---------------------------------------------
Microsoft bessert den Workaround für die Zero-Day-Lücke in Exchange noch mal nach. Admins bleibt nur zu hoffen, dass die jetzige Regel bis zum Update hält.
---------------------------------------------
https://heise.de/-7304522
∗∗∗ SAP-Patchday: 15 neue Sicherheitswarnungen im Oktober ∗∗∗
---------------------------------------------
Die von SAP zum Oktober-Patchday verfügbaren Updates schließen unter anderem zwei kritische Sicherheitslücken.
---------------------------------------------
https://heise.de/-7305149
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (connman, dbus, git, isc-dhcp, strongswan, and wordpress), Fedora (rubygem-pdfkit and seamonkey), Red Hat (gnutls, nettle, rh-ruby27-ruby, and rh-ruby30-ruby), SUSE (libgsasl, python, and snakeyaml), and Ubuntu (graphite2, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-raspi, linux, linux-aws, linux-bluefield, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-hwe, linux-oracle, openssh, and pcre3).
---------------------------------------------
https://lwn.net/Articles/910828/
∗∗∗ iOS 16.0.3 freigegeben ∗∗∗
---------------------------------------------
Apple hat zum 10. Oktober 2022 iOS 16.0.3 für neuere iPhone-Modelle freigegeben. Es handelt sich um ein Sicherheitsupdate, welches die Sicherheitslücke CVE-2022-22658 in Mail beseitigen soll.
---------------------------------------------
https://www.borncity.com/blog/2022/10/11/ios-16-0-3-freigegeben/
∗∗∗ OpenSSL Security Advisory [11 October 2022] ∗∗∗
---------------------------------------------
https://www.openssl.org/news/secadv/20221011.txt
∗∗∗ Xen Security Advisory CVE-2022-33749 / XSA-413 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-413.html
∗∗∗ Xen Security Advisory CVE-2022-33748 / XSA-411 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-411.html
∗∗∗ Xen Security Advisory CVE-2022-33746 / XSA-410 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-410.html
∗∗∗ Xen Security Advisory CVE-2022-33747 / XSA-409 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-409.html
∗∗∗ PHOENIX CONTACT: Multiple Linux component vulnerabilities in PLCnext Firmware ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-046/
∗∗∗ Hashicorp Vagrant: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1669
∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1663
∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-33748 & CVE-2022-33749 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX465146/citrix-hypervisor-security-bul…
∗∗∗ Altair HyperView Player ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-284-01
∗∗∗ Daikin Holdings Singapore Pte Ltd. SVMPC1 and SVMPC2 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-284-02
∗∗∗ Sensormatic Electronics C-CURE 9000 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-284-03
∗∗∗ Lenovo: IPV6 VLAN Stacking Vulnerability ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500520-IPV6-VLAN-STACKING-VULN…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 07-10-2022 18:00 − Montag 10-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Fake adult sites push data wipers disguised as ransomware ∗∗∗
---------------------------------------------
Malicious adult websites push fake ransomware which, in reality, acts as a wiper that quietly tries to delete almost all of the data on your device.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-adult-sites-push-data-w…
∗∗∗ Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server ∗∗∗
---------------------------------------------
A correction was made to the string in step 6 and step 9 in the URL Rewrite rule mitigation Option 3. Steps 8, 9, and 10 have updated images.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-z…
∗∗∗ That thing to help protect internet traffic from hijacking? Its broken ∗∗∗
---------------------------------------------
RPKI is supposed to verify network routes. Instead, heres how it could be subverted. An internet security mechanism called Resource Public Key Infrastructure (RPKI), intended to safeguard the routing of data traffic, is broken, according to security experts from Germanys ATHENE, the National Research Center for Applied Cybersecurity.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/10/09/internet_tra…
∗∗∗ Groupware: Kritische Codeschmuggel-Lücke in Zimbra wird angegriffen ∗∗∗
---------------------------------------------
Eine Sicherheitslücke in der Groupware Zimbra erlaubt Angreifern, Schadcode einzuschleusen. Die Schwachstelle wird inzwischen angegriffen. Ein Workaround hilft.
---------------------------------------------
https://heise.de/-7289104
∗∗∗ Intel-CPU "Alder Lake": BIOS-Quellcode-Leak öffnet potenzielle Einfallstore ∗∗∗
---------------------------------------------
Rund 6 GByte BIOS-Daten für die CPU-Generation Core i-12000 sind Intel abhandengekommen. Darin enthalten ist Code für Sicherheitsmechanismen wie Boot Guard.
---------------------------------------------
https://heise.de/-7289262
∗∗∗ How to protect your Firefox saved passwords with a Primary Password ∗∗∗
---------------------------------------------
For better security, dont rely on browser syncing to manage your passwords. Heres a better way.
---------------------------------------------
https://www.zdnet.com/article/how-to-protect-your-firefox-saved-passwords-w…
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Sicherheitslücke in Fortinet Produkten - Updates verfügbar ∗∗∗
---------------------------------------------
Kritische Schwachstellen in Fortinet Produkten erlauben es Angreifenden, die Authentisierung zu umgehen und Aktionen mit Admin-Rechten auszuführen. CVE-Nummer(n): CVE-2022-40684 CVSS Base Score: 9.6.
---------------------------------------------
https://cert.at/de/warnungen/2022/10/kritische-sicherheitslucken-in-fortine…
∗∗∗ IBM Security Bulletins 2022-10-07 and 2022-10-08 ∗∗∗
---------------------------------------------
IBM Partner Engagement Manager, IBM CICS TX Standard, IBM CICS TX Advanced, IBM Cloud, IBM Business Automation Workflow, IBM Security Verify Governance, IBM TXSeries, IBM Security Network Threat Analytics, IBM Security Verify Governance, IBM Jazz.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (knot-resolver and libpgjava), Fedora (booth, dotnet3.1, expat, nheko, php-twig, php-twig2, php-twig3, poppler, python-joblib, and seamonkey), Mageia (colord, dbus, enlightenment, kitty, libvncserver, php, python3, and unbound), Slackware (libksba), SUSE (cyrus-sasl, ImageMagick, and xmlgraphics-commons), and Ubuntu (nginx and thunderbird).
---------------------------------------------
https://lwn.net/Articles/910724/
∗∗∗ Critical Remote Code Execution Vulnerability Found in vm2 Sandbox Library ∗∗∗
---------------------------------------------
A critical vulnerability in vm2 may allow a remote attacker to escape the sandbox and execute arbitrary code on the host. A highly popular JavaScript sandbox library with more than 16 million monthly downloads, vm2 supports the execution of untrusted code synchronously in a single process.
---------------------------------------------
https://www.securityweek.com/critical-remote-code-execution-vulnerability-f…
∗∗∗ MISP 2.4.164 released with new tag relationship feature, improvements and a security fix ∗∗∗
---------------------------------------------
We are pleased to announce the immediate availability of MISP v2.4.164 with a new tag relationship features, many improvements and a security fix.
---------------------------------------------
https://www.misp-project.org/2022/10/10/MISP.2.4.164.released.html/
∗∗∗ Trend Micro Apex One: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein lokaler oder entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Trend Micro Apex One ausnutzen, um seine Privilegien zu erhöhen und Sicherheitsmaßnahmen zu umgehen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1649
∗∗∗ ZDI-22-1399: Centreon Poller Broker SQL Injection Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1399/
∗∗∗ ZDI-22-1398: Centreon Contact Group SQL Injection Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1398/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 06-10-2022 18:00 − Freitag 07-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Powershell Backdoor with DGA Capability, (Fri, Oct 7th) ∗∗∗
---------------------------------------------
DGA ("Domain Generation Algorithm") is a popular tactic used by malware to make connections with their C2 more stealthy and difficult to block. The idea is to generate domain names periodically and use them during the defined period. An alternative is to generate a lot of domains and loop across them to find an available C2 server. Attackers just register a few domain names and can change them very quickly.
---------------------------------------------
https://isc.sans.edu/diary/rss/29122
∗∗∗ What is a Malware Attack? ∗∗∗
---------------------------------------------
A malware attack is the act of injecting malicious software to infiltrate and execute unauthorized commands within a victim’s system without their knowledge or authorization. The objectives of such an attack can vary – from stealing client information to sell as lead sources, obtaining system information for personal gain, bringing a site down to stop business or even just placing the mark of a cyber-criminal on a public domain.
---------------------------------------------
https://blog.sucuri.net/2022/10/what-is-a-malware-attack.html
∗∗∗ Loads of PostgreSQL systems are sitting on the internet without SSL encryption ∗∗∗
---------------------------------------------
They probably shouldnt be connected in the first place, says database expert. Only a third of PostgreSQL databases connected to the internet use SSL for encrypted messaging, according to a cloud database provider.
---------------------------------------------
https://www.theregister.com/2022/10/07/postgresql_no_ssl/
∗∗∗ Top CVEs Actively Exploited By [..] State-Sponsored Cyber Actors ∗∗∗
---------------------------------------------
This joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by [..] state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI).
---------------------------------------------
https://www.cisa.gov/uscert/ncas/alerts/aa22-279a
∗∗∗ So schützen Sie sich vor Kleinanzeigen-Betrug ∗∗∗
---------------------------------------------
Egal ob Sie kaufen oder verkaufen: Schützen Sie sich auf Kleinanzeigen-Plattformen wie Willhaben, ebay, Vinted und Co. vor Kriminellen. Mit Fake-Profilen, gefälschten Zahlungsbestätigungen oder unechten Zahlungsplattformen zocken Kriminelle immer wieder Nutzer:innen ab. Wir geben Ihnen Tipps zum sicheren Kaufen und Verkaufen.
---------------------------------------------
https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-kleinanzei…
∗∗∗ Exchange Hacks: Achtung, gut gemachte, bösartige Mails im Umlauf (7. Oktober 2022) ∗∗∗
---------------------------------------------
Die Woche wurden Administratoren von Exchange-Servern ja durch die Ende September 2022 bekannt gewordene 0-day-Schwachstellen und die Workarounds von Microsoft ziemlich gefordert. Inzwischen versuchen Cyber-Kriminelle aus dieser Situation Kapital zu schlagen.
---------------------------------------------
https://www.borncity.com/blog/2022/10/07/exchange-hacks-achtung-gut-gemacht…
=====================
= Vulnerabilities =
=====================
∗∗∗ Remote Code Execution in Zimbra Collaboration Suite - Workaround verfügbar ∗∗∗
---------------------------------------------
Eine kritische Schwachstelle in Zimbra Collaboration Suite erlaubt potentiell entfernten, unauthorisierten Angreifer:innen das Ausführen von beliebigem Code. Laut diversen Berichten wird diese Schwachstelle bereits aktiv ausgenutzt. Das Ausnützen der Schwachstelle durch senden einer Email mit speziell präparierten Anhängen in den Formaten .cpio, .tar, .rpm kann zu einer vollständigen Kompromittierung des Systems führen.
---------------------------------------------
https://cert.at/de/warnungen/2022/10/remote-code-execution-in-zimbra-collab…
∗∗∗ Fortinet warns admins to patch critical auth bypass bug immediately ∗∗∗
---------------------------------------------
Fortinet has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-pat…
∗∗∗ Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes ∗∗∗
---------------------------------------------
An attacker may trivially bypass the use of InetAddress::getAllByName to validate inputs. Note: As input validation is not an appropriate mechanism to protect against injection attacks — as opposed to output encoding and Harvard architecture-style APIs — this issue is itself considered to be of Low risk as code relying on the documented validation for such purposes should be considered insecure regardless of this issue.
---------------------------------------------
https://research.nccgroup.com/2022/10/06/technical-advisory-openjdk-weak-pa…
∗∗∗ Angreifer könnten Cisco-Admins manipulierte Updates unterschieben ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates für unter anderem Cisco Expressway Series und TelePresence Video Communication Server erschienen.
---------------------------------------------
https://heise.de/-7286880
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dbus, isc-dhcp, and strongswan), Fedora (booth, php, php-twig, php-twig2, and php-twig3), Oracle (expat, prometheus-jmx-exporter, and squid), Red Hat (expat, openvswitch2.11, and squid), Scientific Linux (expat and squid), SUSE (exiv2, LibVNCServer, postgresql-jdbc, protobuf, python-PyJWT, python3, slurm, squid, and webkit2gtk3), and Ubuntu (libreoffice).
---------------------------------------------
https://lwn.net/Articles/910606/
∗∗∗ VMware Patches Code Execution Vulnerability in vCenter Server ∗∗∗
---------------------------------------------
Virtualization giant VMware on Thursday announced patches for a vCenter Server vulnerability that could lead to arbitrary code execution. A centralized management utility, the vCenter Server is used for controlling virtual machines and ESXi hosts, along with their dependent components. Tracked as CVE-2022-31680 (CVSS score of 7.2), the security bug is described as an unsafe deserialization vulnerability in the platform services controller (PSC).
---------------------------------------------
https://www.securityweek.com/vmware-patches-code-execution-vulnerability-vc…
∗∗∗ Growi vulnerable to improper access control ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN00845253/
∗∗∗ IPFire WebUI vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN15411362/
∗∗∗ Security Bulletin: IBM InfoSphere Information Server Low Level Authenticated User Can View Higher Level User And Group Listing (CVE-2022-36772) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2022-21824) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a session management vulnerability (CVE-2022-41291) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1638
∗∗∗ Avaya Aura Application Enablement Services: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1645
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 05-10-2022 18:00 − Donnerstag 06-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast ∗∗∗
---------------------------------------------
With just one malformed Zigbee frame, attackers could take over certain Ikea smart lightbulbs, leaving users unable to turn the lights down.
---------------------------------------------
https://www.darkreading.com/application-security/ikea-smart-light-system-fl…
∗∗∗ Ransomware: Sicherheitssoftware mit legitimem Treiber deaktiviert ∗∗∗
---------------------------------------------
Die Ransomware Blackbyte nutzt die Angriffstechnik Bring your own vulnerable Driver, um Antivirensoftware zu deaktivieren.
---------------------------------------------
https://www.golem.de/news/ransomware-sicherheitssoftware-mit-legitimem-trei…
∗∗∗ A look at the 2020–2022 ATM/PoS malware landscape ∗∗∗
---------------------------------------------
We looked at the number of affected ATMs and PoS terminals, geography of attacks and threat families used by cybercriminals to target victims in 2020-2022.
---------------------------------------------
https://securelist.com/atm-pos-malware-landscape-2020-2022/107656/
∗∗∗ Detecting and preventing LSASS credential dumping attacks ∗∗∗
---------------------------------------------
In this blog, we share examples of various threat actors that we’ve recently observed using the LSASS credential dumping technique. [..] Finally, we offer additional recommendations to further harden systems and prevent attackers from taking advantage of possible misconfigurations should they fail to leverage credential dumping.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing…
∗∗∗ MSSQL, meet Maggie ∗∗∗
---------------------------------------------
Continuing our monitoring of signed binaries, DCSO CyTec recently found a novel backdoor malware targeting Microsoft SQL servers. [Keine kompromittierten Systeme in AT angeführt, Anm. d. Red.]
---------------------------------------------
https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
∗∗∗ CVE-2022–36635 — A SQL Injection in ZKSecurityBio to RCE ∗∗∗
---------------------------------------------
This is a write-up of CVE-2022–36635: SQLInjection found in a platform of physical security (access control, elevator control, guest management, patrol and parking management) called ZKSecurity Bio v4.1.3 and how it was used to obtain a RCE.
---------------------------------------------
https://medium.com/stolabs/cve-2022-36635-a-sql-injection-in-zksecuritybio-…
∗∗∗ Exchange Zero-Day: Microsoft bessert Workaround erneut nach ∗∗∗
---------------------------------------------
Nachdem der erste Workaround für eine Exchange Zero-Day-Lücke wirkungslos war und Microsoft nachbesserte, hat der Hersteller abermals eine Korrektur vorgelegt.
---------------------------------------------
https://heise.de/-7285558
∗∗∗ Gratis Entschlüsselungstool: Lücke in Ransomwares der Hades-Familie entdeckt ∗∗∗
---------------------------------------------
Opfer einiger Erpressungstrojan der der Hades-Familie wie MafiaWare666 können unter bestimmten Voraussetzungen wieder auf ihre Daten zugreifen.
---------------------------------------------
https://heise.de/-7285784
∗∗∗ Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style ∗∗∗
---------------------------------------------
Hidden DNS resolvers and how to compromise your infrastructure
---------------------------------------------
https://sec-consult.com/blog/detail/melting-the-dns-iceberg-taking-over-you…
∗∗∗ ESET Threat Report T2 2022 ∗∗∗
---------------------------------------------
Ein Blick auf die Bedrohungslandschaft im zweiten Drittel des Jahres 2022 aus Sicht der ESET-Telemetrie und aus der Perspektive der ESET-Experten.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2022/10/05/eset-threat-report-t2-202…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2022-41343 - RCE via Phar Deserialisation (Dompdf) ∗∗∗
---------------------------------------------
Dompdf is a popular library in PHP used for rendering PDF files from HTML. Tanto Security disclosed a vulnerability in Dompdf affecting version 2.0.0 and below. The vulnerability was patched in Dompdf v2.0.1. We recommend all Dompdf users update to the latest version as soon as possible.
---------------------------------------------
https://tantosec.com/blog/cve-2022-41343/
∗∗∗ Cisco Security Advisories 2022-10-05 ∗∗∗
---------------------------------------------
Cisco published 9 Security Advisories (2 High, 7 Medium Severity)
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9 and nodejs), Red Hat (prometheus-jmx-exporter and squid), Slackware (dhcp), SUSE (pngcheck and sendmail), and Ubuntu (isc-dhcp, kitty, and linux-gcp-5.4).
---------------------------------------------
https://lwn.net/Articles/910492/
∗∗∗ Internet Systems Consortium DHCP: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Internet Systems Consortium DHCP ausnutzen, um einen Denial of Service Angriff durchzuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1634
∗∗∗ Security Bulletin: IBM Cloud Pak for Business Automation is affected but not classified as vulnerable by a remote code execution in Spring Framework [CVE-2022-22965] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-busines…
∗∗∗ Security Bulletin: IBM QRadar DNS Analyzer App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2022-31129, CVE-2022-24785, CVE-2017-18214) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-dns-analyzer-a…
∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2021-40690, CVE-2022-25647, XFID: 233967) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo…
∗∗∗ Security Bulletin: IBM HTTP Server is vulnerable to arbitrary code execution due to Expat (CVE-2022-40674) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-is-vulner…
∗∗∗ K10812540: OpenJDK vulnerability CVE-2019-18197 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K10812540?utm_source=f5support&utm_mediu…
∗∗∗ Rockwell Automation FactoryTalk VantagePoint ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-279-01
∗∗∗ HIWIN Robot System Software (HRSS) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-279-02
∗∗∗ Schwachstelle in SPRECON-V460 Visualisierungssoftware ∗∗∗
---------------------------------------------
https://www.sprecher-automation.com/it-sicherheit/security-alerts
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily